Cybersecurity Update, 06.12.2013.

americas-government

A few blocks north of the state Capitol — in a secure, heavily fortified portion of a building constructed to withstand the force of an EF5 tornado — two state cyber security analysts and a network specialist sit around a circular pod of computer screens.

Eyes dart back and forth as they carefully monitor the activities on nearly 30,000 state computers — looking for trouble.

Quite a few familiar headlines cropped up this week, with Edward Snowden leaking yet more classified documents detailing the NSA’s cyber-espionage operations. The latest reports indicate that the agency infiltrated tens of thousands of networks around the world using specialized hardware designed from the ground up to collect sensitive information.

A slide dated 2012 outlines the NSA’s use of “Computer Network Exploitation” or CNE throughout more than 50,000 locations worldwide, spanning 20 “Access Programs” and five continents. SiliconANGLE CyberSecurity Editor John Casaretto observed that the agency uses the same tactics employed by hacktivists and cyber criminals to operate digital sleeper cells that can be activated as needed to siphon information from infected end-points.

WICHITA, Kan. — A Wisconsin truck driver who joined a cyberattack on Wichita-based Koch Industries was sentenced Monday to two years’ probation and ordered to pay $183,000 in restitution for the onslaught that briefly took the company’s website offline.

Comprehensive cyber security legislation heated up, but never really came to a boil. It will probably stay on the back burner for a while. Yet a framework for the federal government’s approach to protecting the nation’s critical infrastructure from cyber threats has emerged.

Government’s effort to safeguard such things as the power grid, transportation, and nuclear facilities was broadly outlined back in February with two White House initiatives: Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience,” and Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”

The Obama administration says its healthcare.gov website is much improved and far less crash-prone, but cybersecurity experts warn that using it is an invitation to hackers and identity thieves.

David Kennedy, a former NSA analyst whose company TrustedSec is hired by big companies to test the security of their computer systems, told CNBC that the Obamacare website is a worst-case online scenario.

The Department of Homeland Security has failed to follow many of its own cybersecurity policies, exposing the agency’s networks to unnecessary risks, according to federal auditors.

An inspector general’s report last month faulted the department for using outdated security controls and Internet connections that are not verified as trustworthy, as well as for not reviewing its “top secret” information systems for vulnerabilities.

Spending on cybersecurity from federal contracts will grow to $11.4 billion in 2018, according to a Deltek report released Wednesday. The amount projected is up from $9 billion over the 2013 calendar year, for an increase of almost 27 percent over the five-year span.

The National Security Agency is gathering nearly 5 billion records a day on the whereabouts of cellphones around the world, according to top-secret documents and interviews with U.S. intelligence officials, enabling the agency to track the movements of individuals — and map their relationships — in ways that would have been previously unimaginable.

The records feed a vast database that stores information about the locations of at least hundreds of millions of devices, according to the officials and the documents, which were provided by former NSA contractor Edward Snowden. New projects created to analyze that data have provided the intelligence community with what amounts to a mass surveillance tool.

A U.S. senator has asked 20 automobile manufacturers how each plans to stave off wireless hacking attempts on vehicle computer systems, as well as prevent violations of driver privacy.

“I write to request information regarding your company’s protections against the threat of cyberattacks or unwarranted invasions of privacy related to the integration of wireless, navigation and other technologies into and with automobiles,” wrote Sen. Ed Markey, D-Mass, in a letter to Daniel Akerson, CEO of General Motors, on Monday (Dec. 2).

Just before Thanksgiving, the President’s Council of Advisors on Science and Technology (which has among its membership luminaries such as Eric Schmidt of Google and Shirley Ann Jackson, the President of Rensselaer Polytechnic Institute) issued a report on “Immediate Opportunities for Strengthening the Nation’s Cybersecurity.” Here are the Executive Summary highlights (though the whole report is worth reading):

The administration is pushing to update federal acquisition regulations to incorporate cybersecurity standards into agency purchasing decisions, according to a top White House official.

Michael Daniel, White House cybersecurity coordinator, said Thursday at the 2013 SINET showcase in Washington that the use of cybersecurity standards in how agencies evaluate products and services is a “growing area.”

americas-private sector

When critical information passes through international borders, the laws and practices protecting intellectual property from cyberhackers become murky to enforce.

In the U.S., pending legislation to beef up protections for companies that share cyberattack information with the government has been controversial. Add to that an international climate bereft of adequate enforcement and consistent IP protections and it makes for a corporate counsel’s nightmare, attorneys say.

Microsoft Security Blog recently published a series of whitepapers and videos designed to help companies better understand the risks posed by cyber threats.

Some of the papers cover potential adversaries to be aware of, targeted attacks, Pass-the-Hash (PtH) attacks, and best practices. The videos also offer techniques to mitigate threat and harm to vital networks. You can find the videos and the whitepapers here.

The Redmond, Washington-based company has released an advisory about a bug in its older operating systems, Windows XP and Server 2003, that could allow hackers to take control of a computer. According to the advisory, hackers have aggressively exploited the zero-day vulnerability in these systems.

Behind every botnet, phishing scheme, malware infection, DDoS attack, and advanced persistent threat is a person or group of people. Their motives range from financial gain and revenge to political activism and national security, but their actions are similar: enter your network and collect or manipulate data, damage your systems, or both.

What does cyber security mean, what does it affect, why is it becoming critical, and what can you do about it? Those were some of the questions I addressed in a recent webcast on automotive cyber security, hosted by SAE International. I represented the software side of things and was accompanied by my hardware colleagues Richard Soja and Jeffrey Kelley, who work at Freescale and Infineon respectively.

Last month, Reuters reported how Edward Snowden obtained log-in data from 20 to 25 former co-workers in order to access parts of the classified material that he leaked later on.

The headline draws attention to the threat potential of social engineering, which TechRepublic called security’s weakest link. The online magazine quoted security researcher Aamir Lakhani saying that “[e]very time we include social engineering in our penetration tests we have a hundred percent success rate.”

Digital privacy services such as encrypted e-mail, secure instant messaging, and services that provide hard-to-track IP addresses are enjoying a surge in demand as individuals and businesses seek to protect information from spies and hackers in the wake of the National Security Agency’s (NSA) surveillance program revelations. These services promise security, but may also slow down computer performance. Moreover, they are not likely to deter those who are determined to hack into a particular computer network.

A comprehensive cyber incident response plan will include the ability to access “a network of experts” to help address the variety of issues businesses could encounter following a breach of their IT infrastructure security, an expert has said.

About 2 million accounts at popular social networking and other websites, including Facebook, Twitter, Google, Yahoo and LinkedIn, have been breached since Oct. 21, according to a Chicago-based cyber security firm.

Trustwave, which first reported the breach on its SpiderLabs blog, told CNN the breaches include 1,580,000 website logins and 320,000 email account credentials stolen, in addition to other account information.

international

Australia – The research paper, to be presented at a cyber security conference in Perth, reveals how researchers discovered the government information amongst a “treasure trove” of confidential material on the discarded memory sticks.

With millions of devices now connecting to the Internet and, in many cases, running embedded operating systems like Android, these devices are becoming a magnet for cyber criminals to hack into, Symantec Director, Technology Sales (India and SAARC), Tarun Kaura told PTI.

The computing infrastructure of UK banks and markets has come under attack in the past six months, revealing vulnerabilities that could potentially lead to “significant” losses across the banking industry, the Bank of England (BoE) has revealed.

The disclosure appeared in the bank’s Financial Stability Report, in a section titled “Short-term risks to financial stability”. The attacks, which appear not to have been previously disclosed outside of the financial sector, caused disruption to banking services, according to the report.

BANGALORE, INDIA: The average cost of multimedia files that a user might lose from a device as a result of a cyber attack or other damage is estimated at $418, according to this year’s Consumer Security Risks Survey, conducted by B2B International and Kaspersky Lab.

Many of these losses could be prevented, but after users purchase digital content they often fail to take appropriate steps to ensure that content is secure.

European Union leaders will call for more coordination on cyber security and unmanned aircraft when they meet in Brussels this month, according to a Dec. 2 draft of summit conclusions.

The EU will step up its efforts to ward off hacking of public and private websites, to protect European troops on peacekeeping missions and to fight child pornography. The Dec. 19-20 summit will endorse calls by EU foreign policy chief Catherine Ashton for a “cyber defense framework” in 2014, the document said. It made no reference to allegations by former National Security Agency contractor Edward Snowden that the U.S. monitored German Chancellor Angela Merkel’s mobile phone.

The Committee on Assessing the Dangers of the Israeli Telecom Towers Directed Toward Lebanese Territory reported to the Parliament of Lebanon that Israel is waging “cyber war” on the nation, according to Press TV.

Data streams from US financial companies and foreign governments sent out over the Internet are being rerouted by computer hackers – diverted to overseas locations where they can be spied upon or altered, then shot along to their expected destination with barely a delay and nobody the wiser, cyber-security experts say.

Russian cyber security company Kaspersky Lab listed their take on the year’s top security stories on Monday. And two quick takeaways: the cloud is dead, encryption services will come back strong.

No surprise, the IT firm led by the charismatic Eugene Kaspersky put cyber espionage on the top of their list. This year saw a steady flow of blockbuster news about U.S. spy agencies eavesdropping on their political buddies from Brazil to Germany. Even secure governments have lost their privacy.

The European Union has taken steps to beef up cybersecurity in 2013, approving new rules to outlaw NSA surveillance tactics and codifying a new set of boundaries for what qualifies as personally identifiable information (PII).

But when will the EU put those rules into effect? Only after they are signed into law by each of the EU’s member states… which is taking a lot longer than initially expected and could drag well into 2014.

Prime Minister David Cameron raised the issue in talks with Chinese prime minister Li Keqiang during his visit to the far eastern giant, which has long been the focus of allegations about illicit use of cyberspace.

The PM said that Britain and China should work together on making the internet function properly to drive the economy forward without undermining privacy or security.